BREAKING: SU data breach compromises info of thousands of Warwick students

Warwick Students’ Union (SU) has said that the personal data of thousands of students, including some home addresses, was available for over 36 hours.

The data breach – which took place from 2 to 4 August – saw all society members given ‘President’ permissions on the SU’s webpage, granting them access to membership lists and finance request history.

The latter may have included personal information like bank details and billing addresses, submitted as part of finance requests for the last six years.

13 societies had confidential information accessed during the breach, […] potentially exposing the names of hundreds of members

Warwick SU has confirmed that 13 societies had confidential information accessed during the breach, by nine individuals, potentially exposing the names of hundreds of members. The Union also confirmed that no finance requests had been approved during the period, though the error would have made this possible by any member.

Sports Clubs were not affected by the breach.

The SU attributed the breach to “planned system changes initiated by Warwick SU staff”, and said that steps were being taken to correct user permissions and prevent a similar breach from occurring.

Warwick SU outsources its society membership to digital services firm Membership Solutions Limited (MSL), which provides services for over 100 students’ unions across six countries. The Union confirmed, however, that no other organisations on the MSL system besides Warwick SU had been affected.

Members of several societies and sports clubs where membership lists had been viewed – including Warwick Pride, Autism at Warwick, and Warwick Enable – received emails on Friday notifying them of the leak. The SU directed concerned students to the Advice Centre for further guidance.

Warwick Student Cinema, one of the largest societies on campus by number of students, also saw the personal information of its members compromised.

All those directly affected have been informed today, and I can only apologise to those who are adversely impacted by the breach

Adam Skrzymowski, VP Societies

Adam Skrzymowski, Vice-President for Societies, told The Boar: “I thank those execs who reached out to me to report the issue when they discovered it, it was a huge help in helping us get it resolved.

“All those directly affected have been informed today, and I can only apologise to those who are adversely impacted by the breach. I’ve personally reached out to the societies most affected to offer some support.”

Skrzymowski said those with questions or concerns were welcome to contact him directly, and that support was available at the SU Advice Centre.

Emails seen by The Boar show at least one society president raised concerns of what they called potential GDPR risks in the SU’s system two months before the breach occurred. 

An example of the email sent out to students affected by the breach. | Image: The Boar

Warwick Pride – one of the societies whose data was compromised – said the incident reflected a repeated failure by the SU to protect vulnerable students’ information: “This isn’t the first data breach Warwick Pride has faced. Last year, the SU outed the identities of our Exec, and previously, the SU has stored information on students based on their legal names, not their preferred ones.

“MRF lists that date back to 2018 are also held, with the breach meaning anyone had access to seeing receipts, invoices and potentially screenshots from banking accounts that could reveal personal data.”

It seems the SU has failed to learn from its numerous past breaches of GDPR and has continued to put queer students at risk of being outed

Warwick Pride

“It seems the SU has failed to learn from its numerous past breaches of GDPR and has continued to put queer students at risk of being outed.” 

“We’ve had confirmation from the SU that our membership list was accessed by two students who otherwise wouldn’t have been able to. We are yet to be informed on the extent of information accessed.”

In a statement, the SU said it had complied with all required regulatory reporting requirements, and that “communications have been sent to those members affected by the breach and to all society Presidents to inform them whether their society was affected or not”.

It continued: “We would like to offer apologies to all students who have been affected by this, and the SU Advice Centre is available to offer support.

“The VP Societies, Adam Skrzymowski is fully engaged in dealing with this matter on behalf of students and is available to be contacted should anyone have concerns.”

It directed that complaints concerning the data breach could be sent to dataprotection@warwicksu.com.